This vulnerability arises from an improper neutralization of special elements used in an SQL command within the bSecure – Your Universal Checkout plugin. The flaw allows blind SQL injection, meaning an attacker can construct malformed queries that leak information or alter database contents, without relying on error messages. The impact could compromise sensitive data stored in the WordPress database and threaten the integrity of the site’s transactional data.

Plugins made for WordPress named bSecure – Your Universal Checkout, specifically version 1.7.9 and earlier. The vulnerable code is present in all releases from the earliest available version up to the stated maximum, so any WordPress installation using these versions is susceptible.

The CVSS score of 9.3 classifies this flaw as critical, while the EPSS score of <1% indicates a currently low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply crafted input via the checkout workflow, a web‑accessible interface, and the exfiltration of blind query responses may require multiple attempts, inferred from the description of blind injection. Nonetheless, the high severity and potential impact warrant prompt action.